Secured.21, Barracuda’s global virtual customer conference, which is wrapping up today, saw several announcements of new products and services from Barracuda. One of these new products, Barracuda Data Inspector, is designed to support regulatory compliance efforts and protect organizations against both malware and the risk of exposing private or protected information.
To better understand how Data Inspector works, who can benefit from it, and why its release is especially timely in the current environment, we decided to sit down with Alon Yaffe and ask him a few questions. As Barracuda’s VP of product management for data protection, he’s definitely the right person to ask.
Q&A with Alon Yaffe, VP Product Management, Data Protection
What challenges or problems does Barracuda Data Inspector help customers resolve?
Well, it addresses a number of challenges, but I’d have to say that the most pressing and immediate one is related to regulatory compliance. We all understand that with regulations like GDPR and CCPA in effect, the penalties for exposing certain kinds of protected data can be very severe. But as any compliance officer can tell you, company policies only do so much, and a “trust but verify” approach tends to work better than just “trust.” Users all too frequently store data such as credit card numbers, Social Security numbers, passwords and credentials, scanned images of driver’s licenses or passports or medical insurance cards, and so on in locations that do not follow their companies’ security and compliance guidelines — for example, OneDrive and SharePoint.
And of course now with everyone working at home, interactions and conversations that would have been verbal and in-person are now digital, with everything being stored in a document of one kind or another, so that is making the problem more acute.
Until now it’s been very hard to get real visibility into how widespread the problem is. As a compliance officer, you don’t know how many instances of poorly secured private data are in your network. This is clearly borne out by our 2021 survey of Office 365 users, where 73% of respondents said they were concerned about data-privacy compliance.
How does Data Inspector help customers achieve compliance?
Barracuda Data Inspector is a cloud-based service that continuously scans your OneDrive and SharePoint accounts, searching documents for many different kinds of private or sensitive data. It’s even able to scan images using optical character recognition (OCR), so it can identify scans of driver’s licenses and other documents with sensitive data.
When Data Inspector finds documents that match any of the data types we are looking for, it generates a report so the admin gets to see all the potentially sensitive data we found, and where it is and who has access to it. And—this is important—when you click through to the specific items listed in the top-level report, we show you a preview where the actual sensitive data is redacted. We do this because we want the admins to be able to verify the findings in the context of each file, but we also want to make sure that we are not contributing to the proliferation of sensitive data when we share the findings. In other words, we think it’s really important for admins to know if users store clear-text passwords in documents, but we don’t think the admins really need to know what those passwords are.
In addition to that, we allow admins to configure notifications that would alert end users to the presence of sensitive data in their documents, and we think that this will help reduce the frequency of the problem going forward, and even accomplish some user education about being more attentive to what sort of data should be handled carefully.
What else can Data Inspector discover?
In developing this product, we realized that a surprising amount of malware was also being unknowingly stored in many SharePoint and OneDrive environments. So, in addition to the primary scans for sensitive data, Data Inspector also uses Barracuda Advanced Threat Protection to filter for malware.
Doesn’t Microsoft provide these capabilities natively within Office 365?
If you have a pretty high-tier enterprise-level subscription, such as E5, you do have access to the Office 365 Compliance Center, and that does provide some of these capabilities. But one thing is that it does not include OCR image-scanning. And that really turns out to be a very important capability. It’s just amazingly common for people to file, say, order forms with credit card numbers on them by scanning them and saving them to OneDrive. And all kinds of personal docs, such as driver’s licenses and passports, tax returns, just an incredible variety of things, they all get scanned and uploaded to the corporate OneDrive just because it’s so easy and convenient. So that’s a really important difference that sets Data Inspector apart.
Is there a concern about false-positive or false-negative results?
Of course, no system is perfect, so there is always a chance Data Inspector can misidentify something as sensitive data or possibly miss data that is actually sensitive. We welcome customer feedback about the quality of the detection.
Does Data Inspector modify documents on OneDrive and SharePoint? Can it delete files that contain sensitive data?
At this time, Data Inspector only uses read-only access to Office 365, so it cannot delete or alter any data in your OneDrive or SharePoint environments. The current capabilities are focused on scanning, verification, and notifications. And by the way, all the notification capabilities are easily configurable by the customer. We recommend that you start off just getting admin notifications in order to understand the baseline scope of things, and if you want to enable end-user notification we recommend you give your users a heads-up so that they know what’s coming.
Have early customers been using it in the ways you expected?
We’ve had some really good feedback from early customers. Many of our customers were surprised by what Data Inspector found in their environments, and that helped them start internal discussions about compliance and data security. There are a bunch of features we ended up adding to the product because of customer feedback, such as the ability to automatically notify end-users if sensitive data is found in their OneDrive accounts.
Is there anything you want to add about Barracuda Data Inspector?
First, I want to stress that it is really a very simple and easy-to-use service. You can implement it with very little effort, and once you switch it on it just works. The reports are clear and easy to read. So, it definitely fits in very well with Barracuda’s existing focus on simplifying difficult IT tasks.
And going forward, we expect to build on the platform to enable more sophisticated notifications and policies, as well as scanning of other types of data stores beyond OneDrive and SharePoint. Because obviously those are not the only places that may have private data and unrecognized malware hiding in them.
Tony Burgess is a twenty-year veteran of the IT security industry and is Barracuda’s Senior Copywriter for Content and Customer Marketing. In this role, he researches complex technical subjects and translates findings into clear, useful, human-readable prose.